Introducing Dynamic OSCAL Content Authoring

June 30, 2022 | By J. Travis Howerton

National Institute of Standards and Technology (NIST) Open Security Controls Assessment Language (OSCAL) is a set of formats expressed in XML, JSON, and YAML to provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. This standard represents the government’s move toward compliance as code based on a data-centric, integrated, extensible, and automated framework published by NIST. At RegScale, we view continuous compliance automation as the future of Governance, Risk, and Compliance (GRC) and a necessary component of any scalable cloud strategy. OSCAL will play a critical role as a standards-based format for exchanging machine readable compliance information in the cloud. As more and more vendors adopt the OSCAL standard over time, tools will be needed to publish and ingest OSCAL to perform automated checks that inform risk-based decisions.

To that end, RegScale was an early adopter of OSCAL and published our Community Edition (CE) version of the platform as a free tool that allows customers to create and publish OSCAL content. In so doing, we became the first free OSCAL publishing tool in the market. However, we didn’t want to settle for being the first OSCAL tool; we wanted to be the best. We are therefore excited to announce an amazing new feature for dynamic OSCAL content authoring. So what do we mean by dynamic authoring and why does it matter to you?

First, OSCAL is a beautiful standard for generating machine readable compliance as code. However, the human experience in looking at OSCAL is less desirable. When we import raw OSCAL into RegScale and render it, it generates a user experience that looks like the below:

You quickly see machine-readable tags that indicate the statements, objectives, parameters, etc. that are contained within any given control definition. These are useful for machine parsing but confusing when viewed by a typical information assurance or audit professional. To bridge this gap, we have built a dynamic OSCAL content authoring system which lets you inherit the objectives and parameters from the control into its specific implementation in a given System Security Plan (SSP) or Component. As you assess objectives and define your parameters, the policy statement is dynamically updated to reflect these changes. The result is an intuitive and human-readable output that reflects the control’s status while still being able to generate and expose the raw OSCAL for the machine-readable version. An example output is shown below:

You can quickly see that the confusing brackets are now gone. Statement IDs are hidden, parameters are updated with the text provided and color-coded for quick identification, and objectives get color-coded icons that represent the assessment status for that objective (i.e. Fully Implemented, Partially Implemented, Not Implemented, or Not Applicable). As assessment and parameter data changes, either through manual or automated assessments using our APIs, the control language updates dynamically in real time to reflect the current status. The result is that the control is now easy to understand and follow for both the human and the machine, providing an optimized experience for both. Support for dynamic OSCAL content authoring is included in version 4.3 and greater of our platform and is available now for free to our customers.
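The parameter substitution described above can be sketched in a few lines. This is an added example, not RegScale's code: it resolves OSCAL `{{ insert: param, ... }}` placeholders in a control statement from an SSP's `set-parameters` and hides statement IDs. The control `ex-1`, its parameters, and the function name `render_statement` are constructed for illustration.

```python
import re

# Constructed sample shaped like an OSCAL catalog control (JSON model).
CONTROL = {
    "id": "ex-1",
    "params": [
        {"id": "ex-1_prm_1", "label": "organization-defined frequency"},
        {"id": "ex-1_prm_2", "label": "organization-defined roles"},
    ],
    "parts": [{
        "id": "ex-1_smt", "name": "statement", "prose": "The organization:",
        "parts": [
            {"id": "ex-1_smt.a", "name": "item",
             "prose": "Reviews accounts {{ insert: param, ex-1_prm_1 }}; and"},
            {"id": "ex-1_smt.b", "name": "item",
             "prose": "Reports findings to {{ insert: param, ex-1_prm_2 }}."},
        ],
    }],
}
# Constructed SSP fragment: only the first parameter has been defined so far.
IMPLEMENTED_REQUIREMENT = {
    "control-id": "ex-1",
    "set-parameters": [{"param-id": "ex-1_prm_1", "values": ["every 90 days"]}],
}

INSERT = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")

def render_statement(control, implemented_requirement):
    """Return human-readable statement text with parameters filled in."""
    labels = {p["id"]: p.get("label", p["id"]) for p in control.get("params", [])}
    values = {sp["param-id"]: ", ".join(sp["values"])
              for sp in implemented_requirement.get("set-parameters", [])}

    def substitute(match):
        pid = match.group(1)
        # Undefined parameters stay visible as an assignment prompt.
        return values.get(pid, "[Assignment: %s]" % labels.get(pid, pid))

    lines = []
    def walk(part, depth):
        # Statement IDs (part["id"]) are never emitted, only the prose.
        if "prose" in part:
            lines.append("  " * depth + INSERT.sub(substitute, part["prose"]))
        for child in part.get("parts", []):
            walk(child, depth + 1)

    for part in control.get("parts", []):
        if part.get("name") == "statement":
            walk(part, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_statement(CONTROL, IMPLEMENTED_REQUIREMENT))
```

Because the rendered text is derived from the same catalog and SSP data, the raw OSCAL stays unchanged and can still be exported for machine consumption.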

With the release of our OSCAL Dynamic Content Authoring system, RegScale now has the best support for OSCAL in the market with our free publishing, authoring, and bulk uploading tools into our Compliance Automation Platform. Schedule a free demo today to learn how RegScale can help you leverage OSCAL for continuous compliance. If you are ready to start automating your compliance processes for creating and managing OSCAL, this demo will also show how you can leverage RegScale to accelerate your OSCAL journey while improving the user experience for your compliance professionals. In addition to offering free tools, we have experienced compliance professionals who can assist you in creating robust OSCAL artifacts that will help you pass audits and reduce your risk with ease. With RegScale, our customers get software with a service to provide a concierge-like experience for accelerating their OSCAL journey.
